
We have a micro-services architecture, where many microservices need to talk to each other for data.

These services are inside a VPC.

I need to understand whether the HTTP APIs of these microservices can go without any authentication if there are no active clients (mobile and web) talking to/connected to these services.

Our current worry is that if a system inside gets compromised, the attacker can get access to all the systems if the services are left without authentication.

Note: These services are connected to the Internet via a NAT gateway, so one-way communication can happen if the services want to make an API call to third parties.

1 Answer

Your worry isn't wrong.

If an attacker were inside the VPC for some reason (remote code execution on a server inside the VPC, a hacked admin account, etc.), they would have unfettered access to other systems if those are left unauthenticated.

This is the concept of defense in depth. Even if one security control is circumvented, there should be others to prevent total control.

foreverska
  • Thanks for writing this down! It's helpful. I am not a security expert; I would like to know all the ways that someone can enter a VPC. Where is a good place to research this? – Vamsi Pavan Mahesh May 27 '22 at 13:20
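To make the defense-in-depth point from the answer concrete, here is an added example (not code from the question, the answer, or any project the page describes) of the smallest useful service-to-service check an internal HTTP API can apply: each calling service proves its identity with a short-lived HMAC-signed token, and the callee additionally restricts which services may reach which endpoint. The service names, secrets, endpoint paths, token format and TTL are all illustrative assumptions chosen for the example; in a real deployment you would normally use mTLS or a platform identity mechanism rather than hand-rolled tokens, but the checks shown (authenticate the caller, verify with a constant-time compare, reject expired credentials, then authorize per endpoint) are the same.

```python
"""Added example: service-to-service authentication for an internal
HTTP API inside a VPC.  Assumed design (illustrative, not from the page):
  - every calling service holds its own secret, shared with the callee;
  - the caller sends "Authorization: Bearer <service>:<expiry>:<hmac>";
  - the callee verifies the HMAC (constant-time), rejects expired tokens,
    then checks the caller against a per-endpoint allow-list.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample key material: one secret per calling service.
SERVICE_SECRETS: Dict[str, bytes] = {
    "orders": b"orders-secret-example",
    "billing": b"billing-secret-example",
}

# Least privilege: which services may call which internal endpoint.
ENDPOINT_ALLOWLIST: Dict[str, set] = {
    "/internal/invoices": {"billing"},
    "/internal/inventory": {"orders", "billing"},
}

TOKEN_TTL_SECONDS = 300  # assumed short lifetime; limits replay window


def _mac(secret: bytes, service: str, expiry: int) -> str:
    return hmac.new(secret, f"{service}:{expiry}".encode(), hashlib.sha256).hexdigest()


def mint_token(service: str, now: Optional[float] = None) -> str:
    """Caller side: build a short-lived, HMAC-signed identity token."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    return f"{service}:{expiry}:{_mac(SERVICE_SECRETS[service], service, expiry)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Callee side: return the caller's service name if the token is
    well-formed, signed with that service's secret and unexpired; else None."""
    now = time.time() if now is None else now
    try:
        service, expiry_str, mac = token.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token
    secret = SERVICE_SECRETS.get(service)
    if secret is None:
        return None  # unknown caller
    if now > expiry:
        return None  # expired
    # compare_digest avoids leaking the expected MAC through timing.
    if not hmac.compare_digest(mac, _mac(secret, service, expiry)):
        return None  # forged or tampered
    return service


def handle_request(path: str, headers: Dict[str, str],
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Simulated request handler: 401 without a valid token, 403 when the
    caller is authenticated but not allowed on this endpoint, else 200."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing service token"
    caller = verify_token(auth[len("Bearer "):], now)
    if caller is None:
        return 401, "invalid or expired service token"
    if caller not in ENDPOINT_ALLOWLIST.get(path, set()):
        return 403, f"{caller} may not call {path}"
    return 200, f"ok: {caller} -> {path}"


if __name__ == "__main__":
    token = mint_token("orders")
    print(handle_request("/internal/inventory", {"Authorization": f"Bearer {token}"}))
    print(handle_request("/internal/invoices", {"Authorization": f"Bearer {token}"}))
    print(handle_request("/internal/inventory", {}))
```

The third call in the usage block is the scenario from the question: a request from inside the VPC with no credential at all, which a compromised host could send to every service. With the check in place it gets a 401, and a valid token for one service still cannot reach an endpoint that service has no business calling.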